How-To Geek

Hackers aren’t inherently bad — the word “hacker” doesn’t mean “criminal” or “bad guy.” Geeks and tech writers often refer to “black hat,” “white hat,” and “gray hat” hackers. These terms define different groups of hackers based on their behavior.

The definition of the word “hacker” is controversial, and could mean either someone who compromises computer security or a skilled developer in the free software or open-source movements.

Black Hats

Black-hat hackers, or simply “black hats,” are the type of hacker the popular media seems to focus on. Black-hat hackers violate computer security for personal gain (such as stealing credit card numbers or harvesting personal data for sale to identity thieves) or for pure maliciousness (such as creating a botnet and using that botnet to perform DDoS attacks against websites they don’t like).

Media portrayals of black-hat hackers may be accompanied by silly stock photos like the one below, which is intended as a parody.

White Hats

White-hat hackers are the opposite of black-hat hackers. They’re the “ethical hackers,” experts in compromising computer security systems who use their abilities for good, ethical, and legal purposes rather than bad, unethical, and criminal purposes.

For example, many white-hat hackers are employed to test an organization’s computer security systems. The organization authorizes the white-hat hacker to attempt to compromise its systems. The white-hat hacker uses their knowledge of computer security systems to compromise the organization’s systems, just as a black-hat hacker would. However, instead of using their access to steal from the organization or vandalize its systems, the white-hat hacker reports back to the organization and informs them of how they gained access, allowing the organization to improve its defenses. This is known as “penetration testing,” and it’s one example of an activity performed by white-hat hackers.

A white-hat hacker who finds a security vulnerability would disclose it to the developer, allowing them to patch their product and improve its security before it’s compromised. Various organizations pay “bounties” or award prizes for revealing such discovered vulnerabilities, compensating white-hats for their work.

Gray Hats

Very few things in life are clear black-and-white categories. In reality, there’s often a gray area. A gray-hat hacker falls somewhere between a black hat and a white hat. A gray hat doesn’t work for their own personal gain or to cause carnage, but they may technically commit crimes and do arguably unethical things.

For example, a black-hat hacker would compromise a computer system without permission, stealing the data inside for their own personal gain or vandalizing the system. A white-hat hacker would ask for permission before testing the system’s security and alert the organization after compromising it. A gray-hat hacker might attempt to compromise a computer system without permission, informing the organization after the fact and allowing them to fix the problem. While the gray-hat hacker didn’t use their access for bad purposes, they compromised a security system without permission, which is illegal.

If a gray-hat hacker discovers a security flaw in a piece of software or on a website, they may disclose the flaw publicly instead of privately disclosing the flaw to the organization and giving them time to fix it. They wouldn’t take advantage of the flaw for their own personal gain — that would be black-hat behavior — but the public disclosure could cause carnage as black-hat hackers tried to take advantage of the flaw before it was fixed.

“Black hat,” “white hat,” and “gray hat” can also refer to behavior. For example, if someone says “that seems a bit black hat,” that means that the action in question seems unethical.

I've never even heard the term "gray hat" hacker, but it's an interesting distinction.

IANAL, but as far as I can tell from the law, you either have permission to enter a system or you don't. We have seen several prosecutions now for otherwise innocent transgressions: the AT&T iPad "hack", which involved nothing more than changing a URL, or the kid who discovered a flaw in his University's web site and got treated very badly for reporting it.

With CISPA looming, it's going to be even more critical that so-called gray hats not engage in this activity: it's obvious that companies and law enforcement want to crack down a lot harder on computer crime, and the Zero Cools of the world will get caught up right alongside the Plagues.

Either you have permission to enter a system or you don't; I don't see any other distinction, both morally or under the law.

Legally, there isn't one. White/Black/Grey Hat isn't usually a matter of legality, although there are some cases where the laws are unclear or just haven't been written. Generally though, matters of law are "white" or "black" with little room in between.

Morality is a bit more flexible though, and this is where the "grey" term comes in. Let me give you some examples.

Hacker who always asks for permission, and discloses vulnerabilities only to the affected parties and/or public per processes approved by the affected parties: White Hat.
Hacker who rarely, if ever, asks for permission and keeps vulnerability data for his own use or sells it to other malicious actors: Black Hat.

That's as clear-cut as it gets. The greying comes in when you have someone who uses Black Hat methods (e.g.: pentesting without permission) to achieve White Hat goals (e.g.: informing vendors of vulnerabilities in their product).

This is the functional (though not legal) equivalent of someone going around the neighborhood and jiggling door knobs, then telling homeowners that their doors were left unlocked. Is that guy maybe a little creepy? Sure. But you can't argue (with the presumption that this is all that he's done) that his intentions are not noble.

In terms of testing the security of your systems, the grey hats aren't doing much that black hats aren't already doing. The grey hats are just nice enough to not be doing damage while they're at it, and will actually tell you about it when they're done.

My real concern has always been one of permission. If you don't have permission to do penetration testing of a system, you are violating the law. Noble purposes or not, it's illegal and you can see jail time.

Now the guy who goes jiggling doorknobs? He can argue that he was "testing the neighborhood security", but he can still be arrested for trespassing. He could even be shot by a scared homeowner, and the police would probably call it self-defense.

I'm not condemning curiosity; I'm just pointing out that the best of intentions don't matter when someone decides to punish you for cracking their security.